ESA rules - adding events to alert

I am creating ESA rules, but I see that an alert generated by these rules usually contains only one event, not all the events that participated in the creation of the alert. I would like to add all related events to the alert for some of the rules.

This rule triggers an alert when we receive 10 events of a specific type in one calendar day. The alert contains only the 10th event.

How can I add all 10 events to the alert?

I know that one of the possibilities is using a batch window or a time batch window to accumulate the events until a specific amount or time is reached and then release them all into the alert. Is there any other way to achieve that?

However, if I use it like that, I get an error during deployment: ExprValidationException: Failed to validate select-clause expression 'window(*)': The 'window' aggregation function requires that the aggregated events provide a remove stream; Please define a data window onto the stream or use 'firstever', 'lastever' or 'nth' instead

It seems that it needs something like .win:time(1 day) added before GROUP BY to define the window. Is this the optimal way to write such a rule? I mean, won't 1 day windows eat up too many resources?

It instructs the Esper engine to discard grouped data that has not been updated for the number of seconds supplied. It is there to help with performance as it removes data from the window when it has not been updated for the number of seconds supplied.
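The two approaches discussed in this thread, written out as an added EPL example (not code from any of the posts). The `device_class` filter, the `ip_src` grouping key and the statement names are constructed placeholders. Note that `.win:time(1 day)` is a rolling 24 hours, not a calendar day.

```epl
// Added example, not from the thread. The filter, grouping key and
// statement names are placeholders. Deploy one option, not both.

// Rejected at deployment: the stream has no data window, so there is no
// remove stream and window(*) raises the ExprValidationException quoted above.
//   SELECT window(*) FROM Event(device_class = 'Firewall')
//   GROUP BY ip_src HAVING count(*) = 10;

// Option 1: sliding time window. window(*) returns every event currently
// held for the group, so the alert carries all 10 events.
// Cost: each matching event stays in memory for the full day.
@Name('ten_events_sliding_day')
@RSAAlert
SELECT window(*) FROM Event(device_class = 'Firewall').win:time(1 day)
GROUP BY ip_src
HAVING count(*) = 10;

// Option 2: per-source batch window. Events accumulate until 10 arrive or
// one day passes, then the batch is released and the window is emptied,
// so at most 10 events per source are held at a time.
@Name('ten_events_batch_day')
@RSAAlert
SELECT * FROM Event(device_class = 'Firewall')
    .std:groupwin(ip_src).win:time_length_batch(1 day, 10)
GROUP BY ip_src
HAVING count(*) = 10;
```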